Hotline Review                                                          June 28, 2011

Hotline Complaint Regarding a Defense Contract Audit Agency Employee Conducting Private For-Profit Tax Business Activity on Government Time and Using Government Equipment

Report No. D-2011-6-008

Additional Information
The Department of Defense Office of the Deputy Inspector General for Policy and Oversight, Audit Policy and Oversight, prepared this report. If you have questions, contact the signer of the report.

Suggestions for Future Reviews
To suggest ideas for or to request future reviews, contact the Office of the Assistant Inspector General for Audit Policy and Oversight at (703) 604-8760 (DSN 664-8760) or fax (703) 604-8982. Ideas and requests can also be mailed to:

    Office of the Assistant Inspector General
    for Audit Policy and Oversight
    Department of Defense Inspector General
    400 Army Navy Drive (Room 833)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
DCAA    Defense Contract Audit Agency
GAO     Government Accountability Office
OMB     Office of Management and Budget
PII     Personally Identifiable Information

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

JUN 28 2011

MEMORANDUM FOR DIRECTOR, DEFENSE CONTRACT AUDIT AGENCY

SUBJECT: Hotline Complaint Regarding a Defense Contract Audit Agency Employee Conducting Private For-Profit Tax Business Activity on Government Time and Using Government Equipment (Report No. D-2011-6-008)

We are providing this report for your information and use. We reviewed a Defense Hotline complaint and substantiated the allegation that a Defense Contract Audit Agency employee was conducting private for-profit tax business activities on Government time and using Government equipment. During our review, we also found unauthorized personally identifiable information and unauthorized software on the employee's Government-issued computer.

We considered management comments on a draft of this report when preparing the final report. The comments conformed to the requirements of DOD Directive 7650.3 and left no unresolved issues. Therefore, additional comments are not required.

We appreciate the courtesies extended to the staff. Please direct questions to

    Randolph R. Stone, SES
    Deputy Inspector General
    for Policy and Oversight

Report No. D-2011-6-008 (Project No. D2010-DIP0AI-0253.000)                June 28, 2011

Results in Brief: Hotline Complaint Regarding a Defense Contract Audit Agency Employee Conducting Private For-Profit Tax Business Activity on Government Time and Using Government Equipment

What We Did
We reviewed the DOD Hotline complaint alleging that a Defense Contract Audit Agency (DCAA) employee conducted private for-profit tax business activity on Government time and using Government equipment.

What We Found
We substantiated the allegation. We found that the employee was conducting activities associated with his private for-profit tax business on Government time and using Government equipment. During our review, we also found:

   • unauthorized personally identifiable information on the subject's Government computer; and
   • unauthorized software on the subject's Government computer.

What We Recommend
We recommend that the Director, Defense Contract Audit Agency:

   • Take appropriate action against the employee for ethics breaches, and determine how to mitigate the risk vulnerability of auditors who have private businesses performing private business tasks on Government time while teleworking.
   • Contact the U.S. Department of the Treasury, the specific State Board of Public Accountancy, and the American Institute of Certified Public Accountants to determine whether any Federal or State laws, regulations, policies, or rules were broken.
   • Determine how to mitigate the risk of unauthorized personally identifiable information entering the information systems network.

Management Comments and Our Response
In responding to an April 11, 2011 draft of this report, the Director, DCAA agreed with all findings and recommendations. Therefore, no further comments are required.

Table of Contents

Results in Brief                                                           i

Introduction                                                               1
       Objective                                                           1
       Background                                                          1

Finding A. Conducting Private For-Profit Tax Business Activity on
           Government Time and Using Government Equipment                  2
       Recommendations                                                     4

Finding B. Personally Identifiable Information on Government Computer      6
       Recommendations                                                     9

Finding C. Unauthorized Software on Government Computer                   12
       Recommendations                                                    12

Appendix
       Scope and Methodology                                              14
       Prior Coverage                                                     14

Management Comments
       Defense Contract Audit Agency                                      16

Introduction

Objectives
We conducted this review to determine whether the complainant's allegation concerning an employee conducting private for-profit tax business activity on Government time and using Government equipment could be substantiated. The complainant, who is anonymous, specifically alleged that:

   • the employee was regularly heard talking to clients on the phone; and
   • the employee was using a Government fax machine to send and receive client documents.

See the Appendix for details regarding our scope and methodology.

Background

Defense Contract Audit Agency (DCAA)
DCAA is a Defense agency under the authority, direction, and control of the Under Secretary of Defense (Comptroller)/Chief Financial Officer, Department of Defense. In accordance with DOD Directive 5105.36, DCAA is responsible for performing contract audits for DOD and for providing accounting and financial advisory services regarding contracts and subcontracts to all DOD Components responsible for procurement and contract administration. These services are provided in connection with negotiation, administration, and settlement of contracts and subcontracts.
In addition, DCAA provides contract audit services to other Federal agencies, as appropriate.

Organizationally, DCAA includes a Headquarters, a Field Detachment, and five regions: Central, Eastern, Mid-Atlantic, Northeastern, and Western. Each region has several field audit offices. DCAA consists of approximately 4,800 people located at more than 300 field audit offices throughout the United States, Europe, and the Pacific.

DCAA Internal Review Team
The DCAA Internal Review Team is responsible for investigating allegations of wrongdoing made against agency employees. The Internal Review Team received the complaint addressed in this report and forwarded it to us for action because of a possible perceived independence concern.

Finding A. Conducting Private For-Profit Tax Business Activity on Government Time and Using Government Equipment
We substantiated the allegation in the DOD Hotline complaint that a DCAA employee was conducting private for-profit tax business activity on Government time and using Government equipment by:

       • seizing the computer of the subject of the complaint and analyzing its contents;
       • interviewing and recording the subject of the complaint under oath; and
       • applying applicable laws, policies, and regulations to this situation.

DCAA Ethics Policy
Ethics policies within the Executive branch of the Federal Government direct the use of Government time and property for authorized purposes only. DCAA follows and does not further supplement DOD's ethics policies. DOD ethics policies are contained in DOD 5500.7-R, Joint Ethics Regulation (JER), August 1, 1993 [with changes 1-6, dated March 23, 2006]. Chapter 2 of the Joint Ethics Regulation, which supplements 5 C.F.R. Part 2635, Standards of Ethical Conduct for Employees of the Executive Branch, prohibits the use of Government time and property except for authorized Government purposes. Although neither of these references provides, as an example, a specific, strict prohibition on performing tasks associated with a private for-profit business on Government time and using Government property, the DOD Office of General Counsel's Encyclopedia of Ethical Failure, dated July 2010, lists numerous examples where Federal employees have been punished for doing so.

DCAA Policy on Conducting Private For-Profit Business Activities on Government Equipment
DCAA policy does not permit employees to conduct private for-profit business activities on Government equipment. DCAA Regulations No. 4140.2, Use of Government Office Equipment, dated September 13, 2002, and No. 8500.1, Information Assurance (IA) Program, dated September 24, 2009, both strictly prohibit the use of Government equipment to maintain or support a personal private for-profit business or activity.

Analysis of Content on the Subject's Government-Issued Computer
We substantiated the allegation through our analysis of the subject's Government-issued computer. We seized the subject's Government-issued computer, and our analysis revealed 149 documents associated with the subject's private for-profit tax business. These documents were in the form of:

       • 107 e-mails (many having attachments),
       • 27 Adobe PDF documents,
       • 12 Microsoft Excel documents, and
       • 3 Microsoft Word documents.

Interview of the Subject
We further substantiated the allegation by performing an in-person interview with the subject of the complaint. Throughout the interview, the subject admitted to performing tasks associated with his private for-profit tax business on Government time and using Government equipment. During the interview, the subject confirmed the following:

       • He was a Certified Public Accountant and licensed to practice.
       • The name of the company, e-mail address, and telephone number used in his private for-profit tax business.
       • A listing of 29 names of individuals or companies obtained from the subject's Government computer, and whether or not they were clients of his private for-profit tax business.
       • Certifications of annual training in ethics, privacy, and information assurance (authorized Government computer use).
       • A selection of the 149 documents pertaining to the subject's private for-profit tax business found on his Government computer.

Subject's Sworn Statement Concerning His Private For-Profit Tax Business Activities on Government Time and Equipment
During our interview of the subject, he acknowledged using Government time and equipment to perform tasks associated with his private for-profit tax business. The subject also acknowledged his electronically signed annual ethics and information assurance training documents, and admitted to knowing that it was improper to use Government time and equipment to perform tasks associated with a private for-profit business.

DCAA Risk Vulnerability
A risk vulnerability exists within DCAA for auditors who have private for-profit businesses and telework to perform tasks associated with their private businesses on Government time.
Although teleworking did not cause the situation reported here, since the employee violated Government ethics rules both while working at his Government duty site and while teleworking, it increases the vulnerability that an unethical employee will misuse Government time. DCAA employs approximately 4,000 auditors, which is more than any other Federal entity. Because of DCAA's mission, organizational structure, and auditors with private for-profit businesses who telework, the risk vulnerability has escalated. In recent years, it has become more common for DCAA auditors to telework. Combining the three factors [auditor, private for-profit business, and telework] affords an environment that allows auditors to perform tasks associated with their private for-profit businesses on Government time.

Our review covered a 6-year period, and during this period we found that, in general, the more the subject teleworked, the fewer documents and e-mails associated with the subject's private for-profit tax business were transferred onto his Government computer. At the peak of the subject's teleworking – 154 days in 2008 – the subject had only one document associated with his private for-profit tax business on his Government computer. Compare this with 2006, the year that had the most documents on his Government computer (56) and only 61 days of teleworking. When the number of teleworking days decreased to 133 days from 2008 to 2009, the number of documents associated with his private for-profit tax business being transferred to the subject's Government computer began to increase, with 8 documents transferred to his Government computer.

There is no reason to believe that in 2008 (when the subject had only one private for-profit business document on his Government computer) the subject stopped performing tasks associated with his private for-profit tax business while teleworking. To the contrary, the drop in private for-profit tax business activity on the subject's Government computer between 2006 and 2009 was due to the subject being at home with immediate access to his personal computer, client account information, and home telephone. The subject attested to the fact that during this period he had no reason to send his private for-profit tax business clients' documents to his official Government computer because he had immediate access to his personal computer, client account information, and home telephone while teleworking.

Recommendations, Management Comments, and Our Response
A. We recommend that the Director, Defense Contract Audit Agency:

       1. Take appropriate action against the subject.

       Management Comments
       The Director, DCAA concurred. DCAA proposed suspending the employee without pay for a significant period and reducing his grade level. DCAA also revoked the subject's telework authority for a minimum of one year.

       Our Response
       The Director, DCAA's comments were responsive and the actions meet the intent of the recommendation. Upon final adjudication of the suspension and reduction in grade, we request that DCAA provide us the documentation supporting these actions.

       2. Determine what action to take to mitigate the risk vulnerability.

       Management Comments
       The Director, DCAA concurred. The Director sent a memorandum to all DCAA employees reiterating DCAA ethics rules and restating his position to hold accountable individuals who break these rules. DCAA also will research the feasibility of implementing an online reporting tool for all employees to report their outside employment. Finally, DCAA will review its policies and procedures for computer and network access to determine whether internal controls need to be enhanced to cover time spent out of the duty station.

       Our Response
       The Director, DCAA's comments were responsive and the actions meet the intent of the recommendation. By September 30, 2011, we request that DCAA notify us of the results of the research on the feasibility of an online reporting tool for reporting outside employment.

Finding B. Personally Identifiable Information (PII) on Government Computer
During our review, we found that the subject's Government-issued computer contained personally identifiable information belonging to 30 individuals who were clients of his private for-profit tax business, including their social security numbers, names, home addresses, and telephone numbers. The subject forwarded this information to his Government computer via e-mail from his personal business account to have it for reference at work. This action may have exposed his clients' personal information to unauthorized recipients and placed their identity in jeopardy.

Federal Government Policy on Personally Identifiable Information on Government Systems

Office of Management and Budget
PII and its protection became the focus of the Executive Office of the President in 2006. The President issued Executive Order 13402, Strengthening Federal Efforts to Protect Against Identity Theft, dated May 10, 2006. This order established the Identity Theft Task Force and required the task force to formulate a strategic plan. The Office of Management and Budget (OMB) also issued Memorandum 06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006, directing all departments and agencies to review their policies, procedures, and controls on PII. As soon as the task force issued its strategic plan to the President on April 23, 2007, OMB issued a memorandum to all executive departments and agencies – OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007 – directing the identification, control, and reduction of PII. It also directed the development of guidance to report breaches of PII.

Department of Defense
DOD implemented OMB M-06-15 by issuing the Office of the Secretary of Defense Administration and Management Memorandum, Safeguarding Personally Identifiable Information, dated June 15, 2006, directing all Components to review their policies, procedures, and controls on PII. One year later, DOD implemented OMB M-07-16 by issuing the Office of the Secretary of Defense Administration and Management Memorandum, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated September 21, 2007. Emphasizing DOD's serious intent to safeguard PII within the department, the Office of the Secretary of Defense Administration and Management reissued the same September 21, 2007, memorandum's guidance twice, on September 25, 2008, and June 5, 2009. The guidance contained in these memoranda augments DOD's privacy guidance contained in DOD Directive 5400.11, DOD Privacy Program, dated May 8, 2007, and DOD 5400.11-R, Department of Defense Privacy Program, dated May 14, 2007.
The DOD guidance directs the review of PII holdings and provides incident reporting criteria if there is a breach.

Defense Contract Audit Agency
DCAA's implementation of OMB's and DOD's policy on PII is contained in DCAA Instruction No. 5410.10, DCAA Privacy Program, dated February 15, 2011. This guidance specifically states:

   • DCAA will collect, maintain, use, and disseminate personal information only when it is relevant and necessary to achieve a purpose required by statute or Executive Order.
   • The Chief Information Officer is responsible for ensuring that personal information in electronic form is only acquired and maintained when necessary.
   • The procedures to follow in the case of actual or suspected compromise of personally identifiable information.

The mission of DCAA does not encompass the collection of private citizens' personal tax information. What the above policies did not foresee was a situation in which a Federal employee would introduce private citizens' PII onto a Federal Government agency's information system, as is the case in this report. All policies focused on identifying, reducing, and where possible eliminating PII on Government systems. The policies also focused on how to report a breach of an agency's authorized PII holdings. The subject of this review, without any authorization, improperly introduced private citizens' PII into the DCAA network.

Internal Revenue Code Concerning Disclosure of Tax Return Information
Internal Revenue Code, 26 U.S.C. §7216 (2010), Penalty for Disclosure or Use of Tax Return Information, states:

       Any person who is engaged in the business of preparing, or providing services in connection with the preparation of, returns of the tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person, and who knowingly or recklessly discloses any information furnished to him for, or in connection with, the preparation of any such return, or uses any such information for any purpose other than to prepare, or assist in preparing, any such return, shall be guilty of a misdemeanor, and upon conviction thereof, shall be fined not more than $1,000, or imprisoned not more than 1 year, or both, together with the costs of prosecution. The exception where this shall not apply is if such disclosure is made pursuant to any other provision of this title or pursuant to an order of the court.

Internal Revenue Code, 26 U.S.C. §6713 (2010), Disclosure or Use of Information by Preparers of Returns, states:

       If any person who is engaged in the business of preparing, or providing services in connection with the preparation of, returns of tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person, and who discloses any information furnished to him for, or in connection with, the preparation of any such return, or uses any such information for any purpose other than to prepare, or assist in preparing, any such return shall pay a penalty of $250 for each such disclosure or use, but the total amount imposed under this subsection on such a person for any calendar year shall not exceed $10,000. The exception where this shall not apply is if such disclosure is made pursuant to any other provision of this title or pursuant to an order of the court.

Although the subject of this report did not disclose taxpayer information to a specific individual, the subject's actions in forwarding his clients' tax information to his official Government computer via e-mail may be considered reckless disclosure. This review obtained access to the confidential taxpayer information, and DCAA information technology personnel could have come across this confidential information since all e-mails are controlled by DCAA network administrators.

State Board of Public Accountancy Rules of Professional Conduct
State Board of Accountancy Rules of Professional Conduct, Chapter 30-X-6-.04, Responsibilities to Clients, states:

       A registrant shall not disclose any confidential information obtained in the course of a professional engagement except with the consent of the client.

Although the subject of this report did not disclose his clients' information to a specific individual, the fact that the subject transferred this confidential information to his Government computer exposed the sensitive information to Government officials conducting the official investigation, and possibly to DCAA information technology personnel with access to e-mails on the DCAA network.
The subject is licensed by a specific State's Board of Public Accountancy.

American Institute of Certified Public Accountants Code of Professional Conduct
American Institute of Certified Public Accountants Code of Professional Conduct, ET Section 301 – Confidential Client Information, Subsection .01 Rule 301 – Confidential Client Information, states:

       A member in public practice shall not disclose any confidential client information without the specific consent of the client.

Although the subject of this report did not disclose his clients' information to a specific individual, the fact that the subject transferred this confidential information to his Government computer exposed the sensitive information to Government officials conducting the official investigation, and possibly to DCAA information technology personnel who have access to e-mails on the DCAA network. The subject is a Certified Public Accountant and a member of the American Institute of Certified Public Accountants.

Subject's Sworn Statement Concerning Personally Identifiable Information on His Government-Issued Computer
We questioned the subject about the PII we found on his Government-issued computer. We specifically mentioned 31 names, showing the subject the actual documents containing the social security numbers, names, home addresses, and telephone numbers of private citizens who were clients of the subject's private for-profit tax business. These documents consisted of:

    • Letters.
    • IRS Forms W-2, W-4, 1040 (with Schedules), 1099, 4868, 8812, and 8863.
    • State Income Tax forms.
    • E-Trade Financial stockbroker statements.
    • Weekly employee pay stubs.

When shown the actual documents, the subject acknowledged all of the documents but one. For the document not acknowledged, the subject stated that the identification number was not a social security number but rather a Federal Employer Identification Number for a business. When asked why these documents were on his Government-issued computer, the subject stated that he forwarded them via e-mail to his Government computer so he could have the documents available for reference at work while talking to a client, a lawyer, or a State revenue office on the phone. The subject acknowledged that his actions constituted misuse of Government time and equipment. Further, the subject acknowledged the document showing that he had received annual training on the authorized use of his Government-issued computer, and stated that he understood that PII was not authorized to be on his Government-issued computer.

Recommendations, Management Comments, and Our Response
B. We recommend that the Director, Defense Contract Audit Agency:

       1. Contact the U.S. Department of the Treasury to determine:

              a. whether any Federal laws or regulations have been violated; and
              b. whether the affected taxpayers are required to be contacted concerning this breach.

       Management Comments
       The Director, DCAA concurred. DCAA will forward a copy of this report with the subject's identifying data to the U.S. Department of the Treasury Inspector General's office for action.

       Our Response
       The Director, DCAA's comments were responsive and the actions meet the intent of the recommendation. We request that DCAA include us as a courtesy copy addressee on the transmittal letter.

       2. Contact the specific State Board of Public Accountancy to determine whether any State laws or rules have been violated.

       Management Comments
       The Director, DCAA concurred.
DCAA will forward a copy of this report with\nthe subject\xe2\x80\x99s identifying data to the applicable State(s) Board of Public\nAccountancy for action.\n\nOur Response\nThe Director, DCAA comments were responsive and the actions meet the intent\nof the recommendation. We request that DCAA include us as a courtesy copy\naddressee on the transmittal letter.\n\n3.\t Contact the American Institute of Certified Public Accountants to\n    determine whether any rules have been violated.\n\nManagement Comments\nThe Director, DCAA concurred. DCAA will forward a copy of this report with\nthe subject\xe2\x80\x99s identifying data to the American Institute of Certified Public\nAccountants for action.\n\nOur Response\nThe Director, DCAA comments were responsive and the actions meet the intent\nof the recommendation. We request that DCAA include us as a courtesy copy\naddressee on the transmittal letter.\n\n4.\t Take appropriate action against the subject.\n\nManagement Comments\nThe Director, DCAA concurred. DCAA proposed suspending the employee\nwithout pay for a significant period and reducing his grade level. DCAA also\nrevoked subject\xe2\x80\x99s telework authority for a minimum of one year.\n\n\n\n                                   10\n\n\x0cOur Response\nThe Director, DCAA comments were responsive and the actions meet the intent\nof the recommendation. 
Upon final adjudication of the suspension and reduction\nin grade, we request that DCAA provide us the documentation supporting these\nactions.\n\n5.\t Have the DCAA Chief Information Officer:\n\n       a.\t Determine how to mitigate risk of unauthorized personally\n           identifiable information being transmitted onto, or from, DCAA\xe2\x80\x99s\n           information systems network(s).\n\n       b.\t Determine how to purge all of the subject\xe2\x80\x99s e-mails, e-mail\n           attachments, and documents containing unauthorized personally\n           identifiable information from DCAA systems and his\n           Government-issued computer.\n\n       c.\t Determine whether a breach notification to the United States\n           Computer Emergency Readiness Team is required.\n\n       d.\t Determine whether a breach notification to affected individuals is\n           required.\n\nManagement Comments\nThe Director, DCAA concurred with Recommendations 5a through 5d. The\nDCAA Chief Information Officer ordered research to ensure that DCAA is using\nthe most current, available methods to mitigate risk of unauthorized PII being\ntransmitted onto or from its information systems, such as logical access control,\nencryption of data, and training. The Chief Information Officer further stated that\nDCAA continually re-evaluates their system controls as additional tools become\navailable. The Chief Information Officer confirmed that all the unauthorized PII\nhas been removed. Finally, the Chief Information Officer applied applicable\npolicies to determine if a breach had occurred at DCAA, and if so, did it need to\nbe reported, and did the affected individuals need to be notified. 
The Chief Information Officer determined that a breach did not occur, and therefore, the United States Computer Emergency Readiness Team and affected individuals did not need to be notified by DCAA.

Our Response
The Director, DCAA comments were responsive and the actions meet the intent of the recommendations.

Finding C. Unauthorized Software on Government Computer
During our review, we found unauthorized software on the subject’s Government computer – specifically, five games. The subject was able to maintain these games on his Government computer because the games were embedded in Microsoft Excel spreadsheets. Having and playing games on a Government computer is unauthorized, a waste of taxpayers’ dollars, and can expose the network to malware/viruses.

DCAA Policy on Unauthorized Software on Government Computers
DCAA policy does not permit unauthorized software on its computers. DCAA Regulation No. 8500.1, Information Assurance (IA) Program, dated September 24, 2009, specifically states that no user will introduce or use unauthorized software on the DCAA information system. DCAA Rules for Computer Users [Enclosure 4 to DCAAR No. 8500.1], which users are required to read and certify annually, states:

   • Do not introduce or use unauthorized software, firmware, or hardware onto the system or enclave.
   • Users must not play computer games.

Subject’s Sworn Statement Concerning Games on His Government Computer
During our interview of the subject, he acknowledged the five games we found on his computer. We asked the subject how these games became embedded in a Microsoft Excel file, and whether this was done to circumvent information technology rules forbidding unauthorized software on Government computers.
The subject stated that he did not know how the games were embedded into a Microsoft Excel file, and that he received these games via e-mail from someone many years ago. The subject agreed that the games were most likely embedded to get around computer security rules. When shown a copy of his electronically-signed annual computer use training and certification, he acknowledged receiving the annual training and admitted to knowing that games were not authorized to be on his Government-issued computer.

Recommendations, Management Comments, and Our Response
C. We recommend that the Director, Defense Contract Audit Agency:

   1. take appropriate action against the subject; and

Management Comments
The Director, DCAA concurred. DCAA proposed suspending the employee without pay for a significant period and reducing his grade level. DCAA also revoked the subject’s telework authority for a minimum of one year.

Our Response
The Director, DCAA comments were responsive and the actions meet the intent of the recommendation. Upon final adjudication of the suspension and reduction in grade, we request that DCAA provide us the documentation supporting these actions.

   2. have the DCAA Chief Information Officer determine how to mitigate risk of employees having unauthorized software (e.g., games) on their Government computers.

Management Comments
The Director, DCAA concurred. The DCAA Chief Information Officer ordered a review of the current internal controls in place and will continue to evaluate changing technology in the future.

Our Response
The Director, DCAA comments are responsive and the actions meet the intent of the recommendation.

Appendix. Scope and Methodology
We reviewed the Defense Hotline complaint to determine whether we could substantiate the allegation.
Our review covered the period 2005 through 2010. As part of our review, we:

   • seized the subject’s Government computer and analyzed its contents (which included searching the entire hard drive for Microsoft Word and Microsoft Excel files; Adobe PDF files; e-mails in the current Microsoft Outlook Inbox and Saved Mail.pst, Archive.pst; Microsoft Outlook calendars; and installed software);
   • interviewed the subject’s current and past supervisors;
   • interviewed a DCAA Regional Director;
   • interviewed and recorded the subject under oath;
   • reviewed applicable laws, policies, and regulations pertaining to the misuse of Government time and equipment, personally identifiable information, and unauthorized software on a Government computer;
   • reviewed the subject’s Official Personnel File maintained by the Defense Finance and Accounting Service;
   • reviewed the subject’s annual Confidential Financial Disclosure Reports; and
   • reviewed the subject’s certifications of annual training in ethics, privacy, and information assurance (authorized Government computer use).

We performed this review from October 2010 through March 2011. The review was conducted in accordance with the Council of the Inspectors General on Integrity and Efficiency Quality Standards for Inspection and Evaluation.

Use of Computer-Processed Data
We did not rely on computer-processed data to perform this audit.

Prior Coverage
During the last 5 years, no prior coverage has been conducted on a Federal employee using Government time and equipment to perform tasks associated with a private for-profit business or unauthorized software on a Government computer.
However, the Government Accountability Office (GAO) has issued 4 reports during the last 5 years discussing personally identifiable information. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov.

GAO
GAO Report No. GAO-09-759T, “Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, But Vulnerabilities Remain,” June 17, 2009

GAO Report No. GAO-08-795T, “Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information,” June 18, 2008

GAO Report No. GAO-08-536, “Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information,” May 19, 2008

GAO Report No. GAO-08-343, “Information Security: Protecting Personally Identifiable Information,” January 25, 2008

Defense Contract Audit Agency Management Comments